
Overview

This page provides a quick start reference on how to set up a fast, modern, secure VPN tunnel using WireGuard on NST.

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It tends to outperform OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform and widely deployed. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.

WireGuard aims to be as easy to configure and deploy as SSH. A VPN connection is made simply by exchanging very simple public keys – exactly like exchanging SSH keys – and all the rest is transparently handled by WireGuard. It is even capable of roaming between IP Addresses, just like Mosh. There is no need to manage connections, be concerned about state, manage daemons, or worry about what's under the hood. WireGuard presents an extremely basic yet powerful interface.

WireGuard Detailed Command-Line Setup

One can follow the detailed setup for a WireGuard VPN on its main site: Quick Start. On this page you will learn the step-by-step procedure for configuring the Server and Client endpoints of the VPN using the command-line.

NST Quick WireGuard VPN Setup

NST has made the process of setting up a WireGuard VPN even easier using template configuration files and a key generation command file. These files are located in directory: "/etc/wireguard".

Example VPN Setup Steps

In this example we will set up a WireGuard VPN between two (2) NST systems across the Internet. Both NST systems are behind a NATed firewall. We will use the template IP Addresses for the VPN tunnel endpoints.

***Note: All WireGuard VPN configuration and command execution requires "root" access. One can "su -" to the "root" user or use the "sudo" command with the "nst" user for configuration and command execution. The "root" user was used for this example VPN setup.

NST Server Side:

Server Address: "10.55.55.1"

Host Name: "shopper2"

Public IP Address: "102.5.221.22" (***Note: Use the command: "getipaddr -f -p" to get your public IP Address)

WireGuard UDP VPN Listen Port: "51820"

WireGuard Virtual Interface: "wg0"

VPN Allowed IP Address: "10.55.55.2/32"

NST Client Side:

Client Address: "10.55.55.2"

Host Name: "pktcap28"

WireGuard Virtual Interface: "wg0"

VPN Allowed IP Addresses: "10.55.55.0/24"

WireGuard Server Endpoint Setup

Do the following steps on the NST server side (shopper2):

1) Change directory to the WireGuard configuration location where the templates and key generation files are found:

5) Now substitute values for both name placeholders: the Server side public key "-SERVER PUBLIC KEY-" and the public IP Address of the Server "public.ip.of.server".

The "public.ip.of.server" name placeholder can also be a "FQDN" (https://en.wikipedia.org/wiki/Fully_qualified_domain_name). If both the client and server are on the same LAN, this is the IP Address of the server's LAN facing interface and not the WireGuard IP Address. Also update the WireGuard server listening port (Default: 51820) if necessary.

***Note: At this point all template name placeholders have been filled in.

WireGuard VPN Firewall Rule Changes and IP Forwarding

Depending on how the Firewall Gateway Router in your server side environment is configured, access to UDP port: "51820" on your WireGuard VPN server host needs to be allowed from the Internet facing side. The WireGuard article: Wireguard VPN: Typical Setup covers the Firewall rule changes and IP Forwarding settings that may need to be changed for your environment.

***Note: Typically, a fresh NST install will only require a NATed Forward Port rule on the Gateway Firewall Router to the NST WireGuard VPN server, UDP port: "51820" for this example VPN to be established and work properly.

Bring Up WireGuard VPN

Use the "wg-quick" command to bring up the WireGuard VPN on the Server side:

WireGuard VPN Automation

The WireGuard package includes a systemd template unit script to automate the starting of the VPN when bringing up an NST system.

On Server side:

[root@shopper2 ~]# systemctl enable wg-quick@wg0.service;

On Client side:

[root@pktcap28 ~]# systemctl enable wg-quick@wg0.service;

Server With Multiple Clients/Peers

It is possible to have multiple client (peer) connections to the same server interface (wg0 for example). In order to accomplish this, you will need to:

Create a unique private/public key for each client (peer).

Add multiple [Peer] sections to the wg0.conf file.

Make sure that the AllowedIPs settings of the peer entries do not overlap with each other.

The following sections provide details on a configuration where the server has an IPv4 address of 10.55.55.1 associated with the wg0 interface and allows 3 clients (10.55.55.10, 10.55.55.11 and 10.55.55.12). Do NOT use these configurations verbatim, they are only examples.

The Endpoint parameter must be changed from wg.networksecuritytoolkit.org:51820 to the address associated with your server (this typically involves opening a UDP hole in your firewall).

It is recommended that you choose a network range other than 10.55.55.0/24 (something different than this public example).

It is recommended to use a port other than 51820 (something different than this public example).

It is highly recommended that you generate your own server and client private/public key pairs.

Server Configuration (10.55.55.1)

The following /etc/wireguard/wg0.conf configuration would set the server's IPv4 address to 10.55.55.1 and allow 3 simultaneous clients (10.55.55.10, 10.55.55.11 and 10.55.55.12).
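As an added example (not code from the NST page or from the WireGuard project), the following Python script builds a constructed multi-peer wg0.conf with the layout described above (server 10.55.55.1 with peers at 10.55.55.10, .11 and .12), parses it, and checks the rules listed in the previous section: every peer has its own public key, keys have the 32-byte base64 shape WireGuard expects, and no two peers' AllowedIPs overlap. The key values are placeholders generated only to give the file the right shape, and the function names are this example's own.

```python
import base64
import ipaddress


def _placeholder_key(n):
    """Constructed placeholder: base64 of 32 identical bytes. NOT a real key.
    Real keys come from: wg genkey | tee privatekey | wg pubkey > publickey"""
    return base64.b64encode(bytes([n]) * 32).decode()


# Constructed sample server-side /etc/wireguard/wg0.conf (not the NST template).
SAMPLE_SERVER_CONF = f"""\
[Interface]
Address = 10.55.55.1/24
ListenPort = 51820
PrivateKey = {_placeholder_key(1)}

[Peer]
# client 1
PublicKey = {_placeholder_key(10)}
AllowedIPs = 10.55.55.10/32

[Peer]
# client 2
PublicKey = {_placeholder_key(11)}
AllowedIPs = 10.55.55.11/32

[Peer]
# client 3
PublicKey = {_placeholder_key(12)}
AllowedIPs = 10.55.55.12/32
"""


def parse_wg_conf(text):
    """Parse the INI-like wg-quick format into (interface_dict, [peer_dict, ...]).

    configparser is not used because [Peer] repeats; this small parser keeps
    each [Peer] section separately and keeps key names in their original case.
    """
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section [{name}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed or out-of-section line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return interface, peers


def _networks(peer):
    """AllowedIPs may be a comma separated list of CIDR prefixes."""
    field = peer.get("AllowedIPs", "")
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in field.split(",") if p.strip()]


def _key_ok(key):
    """WireGuard keys are 32 bytes (Curve25519) encoded as 44 base64 chars."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:
        return False


def check_server_conf(interface, peers):
    """Return a list of problems; an empty list means the config passes."""
    problems = []
    for field in ("PrivateKey", "ListenPort", "Address"):
        if field not in interface:
            problems.append(f"[Interface] is missing {field}")
    if "PrivateKey" in interface and not _key_ok(interface["PrivateKey"]):
        problems.append("[Interface] PrivateKey is not a 32-byte base64 key")

    seen = {}
    for idx, peer in enumerate(peers, 1):
        key = peer.get("PublicKey")
        if key is None:
            problems.append(f"peer {idx} has no PublicKey")
        elif not _key_ok(key):
            problems.append(f"peer {idx} PublicKey is not a 32-byte base64 key")
        elif key in seen:
            problems.append(f"peer {idx} reuses the PublicKey of peer {seen[key]}")
        else:
            seen[key] = idx
        if not _networks(peer):
            problems.append(f"peer {idx} has no AllowedIPs, so the server never routes to it")

    # WireGuard's cryptokey routing keeps one owner per prefix, so an overlapping
    # entry silently takes traffic away from the other peer rather than failing.
    for i in range(len(peers)):
        for j in range(i + 1, len(peers)):
            for a in _networks(peers[i]):
                for b in _networks(peers[j]):
                    if a.overlaps(b):
                        problems.append(
                            f"AllowedIPs overlap: peer {i + 1} ({a}) and peer {j + 1} ({b})")
    return problems


if __name__ == "__main__":
    iface, peers = parse_wg_conf(SAMPLE_SERVER_CONF)
    print("sample config problems:", check_server_conf(iface, peers) or "none")
    # Same file with client 3 widened to the whole /24: overlaps clients 1 and 2.
    bad_iface, bad_peers = parse_wg_conf(
        SAMPLE_SERVER_CONF.replace("10.55.55.12/32", "10.55.55.0/24"))
    for problem in check_server_conf(bad_iface, bad_peers):
        print("overlapping config:", problem)
```

Run it against a real file with `parse_wg_conf(open("/etc/wireguard/wg0.conf").read())` before `wg-quick up wg0`; the overlap check is the one worth keeping around, because WireGuard itself accepts an overlapping AllowedIPs entry and simply reassigns the prefix to the peer configured last.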